Method and system for access to secure resources

ABSTRACT

A system and method for accessing secured resources using a portable device. When a user with such a portable device is within close proximity to a locked door or other secured resource, a verification process can be automatically initiated on the device. The user verification could utilize all the input and sensor methods on the device. Once the identification process has successfully completed, an access code can be transmitted to the locked door or device via wired or wireless network. This allows for reduced electronics required at these locked doors and allows for more dynamic security measures.

BACKGROUND

1. Field of the Invention

This invention relates generally to a method, apparatus and system for enabling secure access to secured resources. More particularly, the present invention relates to identifying a level of access to which a device and/or user is entitled based on a security level of the device and the access available to a user.

2. Background Discussion

Typically, in a secured resource system such as doors, computers and other devices, the secured devices will be unlocked when a user's identity and access is verified at a card reader physically attached to the door, the computer or other devices. When there are a plurality of devices in the secured system, such an identification process is time consuming and inconvenient for the user, as it requires the user to perform the identification process at each of the secured devices one by one, and the cost of the secured system is also increased because more electronics are required.

SUMMARY

Thus, the present invention is directed to a system and method for accessing secured resources using a portable device. When a user with such a portable device is within close proximity to the locked door or device (resource), the verification process can be automatically initiated on the device. The user verification may utilize all the input and/or sensor methods or capabilities on the device or any desired subset of input/sensor methods. Once the identification process has successfully been completed, an access code can be transmitted to the locked door or device via wired or wireless network. This allows for reduced electronics required at these locked doors and allows for more dynamic security measures.

One embodiment of the present invention is directed to a method (the method) for an external device to gain access to a secure area of a resource. The method includes transmitting a signal that identifies that the device is capable of authentication. An initiation of a communication, from the identified device, with the resource is received. The initiation of communication is responded to by transmitting one or more authentication mechanisms of the device, the authentication mechanisms typically being hardware devices for identifying an attribute of a user of the device. A request for use of one or more of the authentication mechanisms is received. A token for each of the requested authentication mechanisms is transmitted from the device to the resource. Access to the secure area is gained in response to acceptance of the one or more of the tokens by the resource.

Another embodiment of the present invention is directed to the method for an external device to gain access to a secure area of a resource described above in which the communication is wireless.

Another embodiment of the present invention is directed to the method for an external device to gain access to a secure area of a resource described above in which the device is a portable device.

Yet another embodiment of the present invention is directed to the method for an external device to gain access to a secure area of a resource described above in which the authentication mechanism is possession of the device.

Yet another embodiment of the present invention is directed to the method for an external device to gain access to a secure area of a resource described above in which the authentication mechanism is a biometric.

Yet another embodiment of the present invention is directed to the method for an external device to gain access to a secure area of a resource described above in which the external device transmits an activation signal to the resource.

Yet another embodiment of the present invention is directed to a method for a resource to grant access to a secure area of the resource to an external device. The method includes receiving a signal from the external device that is capable of authentication. A communication with the external device is initiated. A list of one or more authentication tokens the external device is capable of providing is received, the authentication tokens being results of hardware devices for identifying an attribute of a user of the external device. A request for one or more authentication tokens is transmitted. One or more authentication tokens in response to the request are received. The external device is granted access to the secure area based upon acceptability of the one or more authentication tokens.

Yet another embodiment of the present invention is directed to the method for a resource to grant access to a secure area of the resource described above in which the authentication token is a biometric.

Yet another embodiment of the present invention is directed to the method for a resource to grant access to a secure area of the resource described above in which the communication is wireless.

Yet another embodiment of the present invention is directed to the method for a resource to grant access to a secure area of the resource by an external device wherein the resource transmits an activation signal to the external device. This activation may be, for example, a signal that activates the external device and/or provides operating power to the device.

Yet another embodiment of the present invention is directed to a device (the device) for gaining access to a secure area of a resource. The device includes a first transmitter to transmit a signal that identifies the device as capable of authentication. A first receiver receives an initiation of a communication with the resource. A controller responds to the initiation of the communication by transmitting one or more authentication mechanisms of the device, the authentication mechanisms being hardware devices for identifying an attribute of a user of the device. A second receiver receives a request for use of one or more of the authentication mechanisms. A second transmitter transmits a token for each of the requested authentication mechanisms. The device further gains access to the secure area in response to acceptance of the one or more of the tokens by the resource.

Yet another embodiment of the present invention is directed to the device described above in which the communication is wireless.

Yet another embodiment of the present invention is directed to an authentication unit (the authentication unit) of a resource for granting access, to a secure area of the resource, to an external device. The authentication unit includes a first receiver to receive a signal from the external device that is capable of authentication. A communicator initiates wireless communication with the external device. A second receiver receives a list of one or more authentication tokens the external device is capable of providing, the authentication tokens being results of hardware devices for identifying an attribute of a user of the external device. A transmitter transmits a request for one or more authentication tokens. A third receiver receives one or more authentication tokens in response to the request. An authenticator unit grants the external device access to the secure area based upon acceptability of the one or more authentication tokens.

BRIEF DESCRIPTION OF THE DRAWINGS

To the accomplishment of the foregoing and related ends, certain illustrative embodiments of the invention are described herein in connection with the following description and the annexed drawings. These embodiments are indicative, however, of but a few of the various ways in which the principles of the invention may be employed and the present invention is intended to include all such aspects and their equivalents. Other advantages, embodiments and novel features of the invention may become apparent from the following description of the invention when considered in conjunction with the drawings. The following description, given by way of example, but not intended to limit the invention solely to the specific embodiments described, may best be understood in conjunction with the accompanying drawings, in which:

FIG. 1 illustrates an example of a system of one embodiment of the present invention;

FIG. 2 illustrates an example of a schematic diagram of an embodiment of the present invention;

FIG. 3 illustrates an example of a series of steps according to an embodiment of the present invention;

FIG. 4 illustrates an example of authentication mechanisms according to an embodiment of the present invention;

FIG. 5 illustrates an example of a security service module according to an embodiment of the present invention;

FIG. 6 illustrates a series of steps of accessing services in a secured resource having multiple levels of security according to an embodiment of the present invention;

FIG. 7 illustrates an example of a portable device according to an embodiment of the present invention;

FIG. 8 illustrates an example of a secured resource according to an embodiment of the present invention;

FIG. 9 illustrates a flowchart for an embodiment of the present invention in which the portable device provides power to the secured resource;

FIG. 10 illustrates a flowchart for an embodiment of the present invention in which the secured resource provides power for authentication of the portable device;

FIG. 11 illustrates an example of a processing and memory module for a portable device.

DETAILED DESCRIPTION

It is noted that in this disclosure and particularly in the claims and/or paragraphs, terms such as “comprises,” “comprised,” “comprising,” and the like can have the meaning attributed to them in U.S. patent law; that is, they can mean “includes,” “included,” “including,” “including, but not limited to” and the like, and allow for elements not explicitly recited. Terms such as “consisting essentially of” and “consists essentially of” have the meaning ascribed to them in U.S. patent law; that is, they allow for elements not explicitly recited, but exclude elements that are found in the prior art or that affect a basic or novel characteristic of the invention. These and other embodiments are disclosed or are apparent from and encompassed by, the following description. As used in this application, the terms “component” and “system” are intended to refer to a computer-related entity, either hardware, a combination of hardware and software, software, or software in execution. For example, a component may be, but is not limited to being, a process running on a processor, a processor, an object, an executable, a thread of execution, a program, and/or a computer. By way of illustration, both an application running on a server and the server can be a component. One or more components may reside within a process and/or thread of execution and a component may be localized on one computer and/or distributed between two or more computers. Other embodiments of the present invention include the methods described above but implemented using apparatus or programmed as computer code to be executed by one or more processors operating in conjunction with one or more electronic storage media.

Furthermore, the detailed description describes various embodiments of the present invention for illustration purposes and embodiments of the present invention include the methods described and may be implemented using one or more apparatus, such as processing apparatus coupled to electronic media. Embodiments of the present invention may be stored on an electronic media (electronic memory, RAM, ROM, EEPROM) or programmed as computer code (e.g., source code, object code or any suitable programming language) to be executed by one or more processors operating in conjunction with one or more electronic storage media. This electronic storage media may include, for example a non-transitory electronic storage medium/media such as a register, or other electronic repository or electronic storage location for data that is capable of storing data represented in electronic form, such as bits, bytes, kilobytes, waveforms, electronic signals, digital format and other data types and forms.

Embodiments of the present invention may be implemented using one or more processing devices, or processing modules. The processing devices, or modules, may be coupled such that portions of the processing and/or data manipulation may be performed at one or more processing devices and shared or transmitted between a plurality of processing devices.

FIG. 1 illustrates an example of a network system 100 that supports embodiments of the present invention. The system 100 shown in FIG. 1 includes a network 102, a secured resource 104, a server 106, and a user 110 having access to one or more of a plurality of portable devices 112(a), 112(b) . . . 112(n) (where “n” is any suitable number).

The network 102 is, for example, any combination of linked computers, or processing devices, adapted to transfer and process data. The network 102 may be private Internet Protocol (IP) networks, as well as public IP networks, such as the Internet that can utilize World Wide Web (www) browsing functionality. An example of a wired network is a network that uses communication buses and MODEMS, or DSL lines, or a local area network (LAN) or a wide area network (WAN) to transmit and receive data between terminals. An example of a wireless network is a wireless LAN. Global System for Mobile Communication (GSM) is another example of a wireless network. The GSM network is divided into three major systems which are the switching system, the base station system, and the operation and support system (GSM). Also, IEEE 802.11 (Wi-Fi) is a commonly used wireless network in computer systems, which enables connection to the Internet or other machines that have Wi-Fi functionality. Wi-Fi networks broadcast radio waves that can be picked up by Wi-Fi receivers that are attached to different computers.

The secured resource 104 may be, for example, a door, a computer (or memory or accessible portion of a computer device), secured physical compartment and/or electronic location such as a database, website or other restricted or partially restricted area or a network, or portions of a network, such as a VPN. In some cases, the security resource 104 could have multiple levels of security, for example a computer network that offers a range of services, from simple email and calendar access through access to more restricted areas, or levels, or resources, such as financial statements, address book and/or confidential documents or other areas holding information to which limited access is desired. The security system attached to the secured resource 104 can identify that the user 110 is carrying a portable device 112 capable of authentication and open a wired or wireless connection to that portable device.

The server module, or facility, or unit, 106 is typically one or more processors with associated memory, such as computers, or other processing devices such as a desktop computer, laptop computer, personal digital assistant (PDA), wireless handheld device, cellular telephone, PLAYSTATION™, PSP™ and the like. They may be capable of processing and storing data themselves or merely capable of accessing processed and stored data from another location (i.e., both thin and fat terminals).

User terminal 108 is shown as including a user 110 and one or more portable devices 112 to which the user 110 may have access or possession. At the user terminal 108, a user 110 may carry or access one or more of a plurality of portable devices 112(a) . . . (n) (generally referred to as 112, herein). The portable devices 112 typically include devices with processing capabilities and memory and an output display, such as a cell phone, personal digital assistant (PDA), wireless handheld device, PLAYSTATION™, PSP™ and the like. The portable devices 112 may be capable of processing and storing and displaying data themselves or merely capable of accessing processed and stored data from another location (i.e., both thin and fat terminals) and displaying the accessed or retrieved data. It is also an embodiment of the present invention that the functionality of server 106 could also be part of secured resource 104 and/or portable device 112.

The user terminal 108, using portable devices 112, submits security tokens to the server module 106, via network 102. The server module 106 receives security tokens from the user terminal 108 and sends the tokens to security resource 104. The security resource 104 then executes the identification process based on the received tokens.

Security resource 104, server module 106, and user terminals 108 are coupled to network 102 via an associated bi-directional communication medium, which may be for example a serial bus such as IEEE 1394, or other wired or wireless transmission medium. The security resource 104, server module 106, and the user terminal 108 may be communication appliances, or user locations, or subscriber devices, or client terminals.

FIG. 2 illustrates a schematic diagram of an example of a system 200 according to an embodiment of the present invention.

When user 110 wishes to access a secured resource 104, such as a locked room, compartment, or restricted area or portion of a network or electronic storage area or database, the user uses his/her portable device (shown as element 112 in FIG. 1 and element 216 in FIG. 2), which is shown in FIG. 2 as equipped with a fingerprint scanner, to perform wired or wireless communication 250 with the secured resource 104, such as a locked door. If the secured resource 104 determines that a fingerprint scan is appropriate, the user 110 swipes his/her finger 208 over the portable device 216. Then the portable device 216 communicates with the secured resource 104 regarding his/her fingerprint credentials. If the fingerprint is accepted by the secured resource 104, the secured resource 104, i.e., the locked room, is unlocked.

Furthermore, as shown in FIG. 2, portable devices 210 and 212 illustrate other examples of portable devices equipped with other possible security mechanisms. For example, portable device 210 is equipped with a numeric touch pad and/or passcode entry at which the user 110 may input a numeric password or user identification or personal identification number (PIN). Furthermore, portable device 212 is equipped with a retinal scanner to which the user 110 may place his/her eye 214 to verify the identity of a person. Secured resource 204 illustrates another type of secured resource, such as a PC-based resource. The various secured resources (shown as 104, 204) may be accessed by one or more portable devices. Each secured resource (104, 204) may have varying levels of resource security. For example, a key pad with numeric buttons that permit entry of a numeric code may be adequate for accessing a low security level resource, while a retinal scan of a particular individual may be required for a higher level of resource security.

As illustrated in FIG. 2, the security resource 104 could have multiple levels of security for different services. In that case, when the user is granted access to the secured resource and requests a particular service, a security token module of the security system determines whether the user has been granted access to the requested service according to the security tokens provided by the user.

FIG. 3 illustrates a series of steps of accessing a secured resource according to an embodiment of the present invention. FIG. 3 shows a process, which is for example, a series of steps, or program code, or algorithm stored on an electronic memory or computer-readable medium. For example, the steps of FIG. 3 may be stored on a computer-readable medium, such as ROM, RAM, EEPROM, CD, DVD, or other non-volatile memory or non-transitory computer-readable medium. The process may also be a module that includes an electronic memory, with program code stored thereon to perform the functionality. This memory is a structural article. As shown in FIG. 3, the series of steps may be represented as a flowchart 300 that may be executed by a processor, processing unit, or otherwise executed to perform the identified functions and may also be stored in one or more memories and/or one or more electronic media and/or computer-readable media, which include non-transitory media as well as signals. For example, the steps of FIG. 3 may be stored on a computer-readable medium, such as ROM, RAM, EEPROM, CD, DVD, or other non-volatile memory, non-transitory media. The program code stored on an electronic memory medium is a structural element. The computer program code, as an alternate form of flowchart 300, may be stored in any memory as described herein and, for example, in portable device 112, server 106 or secured resource 104. The process 300 begins with start step 302.

Step 304 shows that a user, having a portable device, approaches a secured resource and requests access to the secured resource. In step 306, the secured resource identifies whether the portable device is in range of the secured resource. If no portable device capable of authentication is identified, “no” line 307 leads to step 308, and the user, and thus the portable device, may move closer to the secured resource to make sure the device is within close proximity (a distance sufficiently close to the resource such that the resource may communicate with the portable device) to the secured resource and try to request access again in step 304. As shown by line 311, the power requirement of the secured resource may be identified. This embodiment is described in more detail with reference to FIG. 9. Also the power available at the portable device is identified. This power level of the portable device is useful to activate a secured resource (or portion of the secured resource). The power level of the portable device is the power of the portable device to activate or signal a secured resource. The activation electrical power of the secured resource can also be determined. This activation power is the electrical power required to activate the secured resource (or portion thereof) from a dormant or inactive state to an active state. Once the power level of the portable device is identified, a determination can be made as to whether the power level of the portable device is adequate to activate the resource (or portion thereof). If the portable device power is adequate, the portable device sends an activation signal to the secured resource to cause the secured resource to activate.

The distance at which the portable device may communicate with the secured resource is typically a function of transmission power and/or reception power of the respective devices. If a portable device capable of authentication is identified in step 306, “yes” line 309 leads to step 310, which shows the security system opens a connection, which may be a wired or wireless connection, to the identified portable device. Then in step 312 the portable device responds by sending its available authentication mechanisms, which are shown in FIG. 4.

Step 314 shows that the security system determines whether one or a combination of the available authentication mechanisms is appropriate to be used. If none is appropriate, “no” line 315 leads to step 316, in which the security system determines whether there are any other portable devices carried by the user. If it is determined that the user is not carrying any other portable devices capable of authentication, “no” line 321 leads to step 330 showing an end step. Otherwise, if other portable devices are identified, “yes” line 319 leads back to step 310. Thus, the determination of portable device authentication capabilities is iterative and involves repeated identification of adequate authentication capabilities or functions.

Referring back to step 314, if one or a combination of the available authentication mechanisms is determined to be acceptable, “yes” line 317 leads to step 318, which shows the security system informs the portable device which authentication mechanism is required to be used, corresponding to the appropriate authentication mechanisms, via wired or wireless communications. Step 320 shows that after the portable device receives the information about the required security mechanisms, the portable device will obtain security tokens from the user and/or portable device through the required authentication mechanisms. For example, if the required authentication mechanism is a retinal scanner, the portable device will request the user to place his/her eye by the retinal scanner, and if the required authentication mechanism is a fingerprint scanner, the portable device will request the user to place his/her finger by the fingerprint scanner. Then in step 322, the security tokens obtained in step 320 are transmitted to the security system of the secured resource.

Step 324 shows that the security system determines whether the received security tokens are correct and/or sufficient to grant the user access to the secured resource. If the security tokens are not correct or not sufficient, “no” line 325 leads to step 326, which shows the security system will ask the portable device to provide other security tokens. If no more security tokens will be provided from the portable device, “no” line 329 leads back to step 316, showing that the security system determines whether there are any other portable devices carried by the user. If in step 326 the portable device will provide other security tokens obtained from the user, “yes” line 331 leads back to step 320. Referring back to step 324, if the security tokens are correct and sufficient, “yes” line 327 leads to step 328, which shows the user is granted access to the secured resource, and an end step 330 is reached.

As mentioned previously with respect to FIG. 2, the security resource 104 could have multiple levels of security for different services. In that case, when the user is granted access to the secured resource and requests a particular service, a security token module of the security system determines whether the user has been granted access to the requested service according to the security tokens provided by the user.

FIG. 4 illustrates an example of information about authentication mechanisms 400 according to an embodiment of the present invention. The portable device capable of authentication sends to the security system information about its authentication mechanisms 400, which includes, for example, physical keypad 402, touch screen for virtual keypad 404, touch screen or touchpad for gesture input 406, motion sensors for gesture input 408, transmission device 410 capable of transmitting a special wireless signal (Bluetooth, RF, IR, etc.) or a special file used as the key to access the secured system, fingerprint scanner 412, camera for face recognition 414, retinal scanner 416, microphone for voice recognition 418, etc. While the illustrated authentication mechanisms have been shown in relation to FIG. 4, additional authentication mechanisms could also be used.

FIG. 5 illustrates an example of a security service module 500 according to an embodiment of the present invention. Security service module 500 includes a processor module 502, a memory module 504 and a security service registration module 506. Security service module 500 may be a module, “plug-in” unit, stand-alone unit or other facility that resides on another module or device. For example, security service module 500 may be a component of, or executed by: portable device(s) 112; server 106; and/or secured resource 104, as described herein.

Processor module 502 is coupled to the security service registration module 506 via an associated communication link to enable processor module 502 and memory 504 to coordinate processing operations of the modules shown in FIG. 5. The processor module 502 includes a CPU 510, which is typically a processor that includes an arithmetic logic unit (ALU), which performs arithmetic and logical operations, and a control unit (CU), which extracts instructions from memory and decodes and executes them, utilizing the ALU when necessary. An I/O interface may be used to operatively couple the components of processor module 502.

Memory module 504 stores programs, which include, for example, a web browser, algorithms, as well as typical operating system programs (not shown), input/output (I/O) programs (not shown), BIOS programs (not shown) and other programs that facilitate operation of security service module 500. The web browser (not shown) is for example an Internet browser program such as Internet Explorer™. Memory module 504 may be, for example, an electronic storage medium, such as an electronic storage repository that can store data used by security service module 500. The memory module 504 may include, for example, RAM, ROM, EEPROM or other memory media, such as an optical disk, optical tape, CD, or a floppy disk, a hard disk, or a removable cartridge, on which digital information is stored in the form of bits. The memory module 504 may also be remote memory coupled to processing module 502 via a wired or wireless bi-directional communication medium. A receiver/transmitter or transceiver 505 is used to receive signals from a portable device. The transmitter is used to transmit signals from the secured resource to the portable device.

Security service registration module 506 includes all the security services of different security levels. For example, service group 512 includes the services of security level 1, such as access to email and an electronic calendar; service group 514 includes the services of security level 2, such as access to financial statements and an address book; service group 516 includes the services of security level 3, such as access to confidential documents; etc.

FIG. 6 illustrates a series of steps of accessing services of a secured resource having multiple levels of security according to an embodiment of the present invention. FIG. 6 shows a process, which is for example, a series of steps, or program code, or algorithm stored on an electronic memory or computer-readable medium. For example, the steps of FIG. 6 may be stored on a computer-readable medium, such as ROM, RAM, EEPROM, CD, DVD, or other non-volatile memory or non-transitory computer-readable medium. The process may also be a module that includes an electronic memory, with program code stored thereon to perform the functionality. This memory is a structural article. The computer program code, as an alternate form of flowchart 600, may be stored in any memory as described herein and, for example, in portable device 112, server 106 or secured resource 104. As shown in FIG. 6, the series of steps may be represented as a flowchart 600 that may be carried out by the security service module of FIG. 5. The process 600 begins with start step 602.

In step 604, a user is granted access to the secured resource which has multiple security levels, such as a computer. Step 606 shows that the user requests access to a particular service at the secured resource, such as access to confidential documents. Line 607 leads to an embodiment of the present invention in which the secured resource provides power to the portable device, as described in relation to FIG. 10.

In step 608 the security system determines whether the security tokens, provided by the user when he/she is granted access to the secured resource, are correct and sufficient for accessing the requested service. If the security tokens are not correct or not sufficient, “no” line 609 leads to step 610, which shows the security system will ask the portable device to provide other security tokens. If no more security tokens will be provided from the portable device, “no” line 611 leads to step 612 showing that the access request to the service is rejected, and an end step 616 is reached. If in step 610 the portable device provides other security tokens obtained from the user, “yes” line 613 leads back to step 608. Referring back to step 608, if the security tokens are correct and sufficient, “yes” line 615 leads to step 614, which shows the user is granted access to the requested service, and an end step 616 is reached.
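The FIG. 3 negotiation (steps 310 through 328) and the FIG. 6 per-service check (steps 608 through 614) can be modelled together. The Python below is an added example and not code from the specification: the mechanism names, the mapping of service groups 512/514/516 to levels 1 to 3, the policy of which mechanism combinations satisfy each level, the device key and the user samples are all constructed for illustration, since the specification does not say how a token is derived or how the resource decides which mechanisms are "appropriate". The example makes the choices a defender would want at the points the text leaves open: a token is a keyed digest bound to the pre-registered device rather than the raw PIN or biometric sample, the resource compares tokens in constant time against references stored at enrollment, and a service request above the already-verified level asks the device only for the missing mechanisms (step 610) instead of restarting from step 304.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Service groups of FIG. 5, as service name -> security level (1..3).
SERVICE_LEVELS = {"email": 1, "calendar": 1, "financial_statement": 2,
                  "address_book": 2, "confidential_document": 3}

# Assumed resource policy (not from the specification): any one listed
# mechanism set satisfies a level.
LEVEL_POLICY = {
    1: [{"pin"}],
    2: [{"pin", "fingerprint"}],
    3: [{"retina"}, {"pin", "fingerprint", "face"}],
}


def derive_token(device_key: bytes, mechanism: str, sample: bytes) -> bytes:
    """Token sent for one mechanism (steps 320/322). Keyed with the device's
    registration key, so the token is bound to a registered device and the
    raw sample (PIN digits, fingerprint template) never leaves the device."""
    return hmac.new(device_key, mechanism.encode() + b"\0" + sample, hashlib.sha256).digest()


@dataclass
class PortableDevice:
    device_id: str
    key: bytes
    mechanisms: set   # what the device can offer (step 312, FIG. 4)
    samples: dict     # mechanism -> sample the user supplies (constructed)

    def tokens_for(self, requested: set) -> dict:
        """Step 320: one token per requested mechanism the device has."""
        return {m: derive_token(self.key, m, self.samples[m])
                for m in requested if m in self.mechanisms}


def enroll(device: PortableDevice) -> tuple:
    """Pre-registration (FIG. 7 text): the resource keeps reference tokens."""
    return device.key, {m: derive_token(device.key, m, s)
                        for m, s in device.samples.items()}


@dataclass
class SecuredResource:
    registered: dict                             # device_id -> (key, refs)
    granted: dict = field(default_factory=dict)  # device_id -> verified set

    def choose_mechanisms(self, offered: set, level: int):
        """Steps 314/318: first acceptable mechanism set the device offers."""
        for required in LEVEL_POLICY[level]:
            if required <= offered:
                return required
        return None

    def verify(self, device_id: str, tokens: dict) -> set:
        """Step 324: constant-time comparison against enrolled references."""
        _, refs = self.registered.get(device_id, (None, {}))
        return {m for m, tok in tokens.items()
                if m in refs and hmac.compare_digest(tok, refs[m])}

    def request_access(self, device: PortableDevice, level: int = 1) -> bool:
        """FIG. 3: negotiate mechanisms, collect tokens, grant or deny."""
        if device.device_id not in self.registered:
            return False                         # unknown device: no dialogue
        required = self.choose_mechanisms(device.mechanisms, level)
        if required is None:
            return False                         # step 316: nothing usable
        verified = self.verify(device.device_id, device.tokens_for(required))
        if not required <= verified:
            return False                         # step 324 "no"
        self.granted[device.device_id] = verified
        return True

    def request_service(self, device: PortableDevice, service: str) -> bool:
        """FIG. 6: reuse verified tokens; step up only for the missing ones."""
        level = SERVICE_LEVELS[service]
        held = set(self.granted.get(device.device_id, set()))
        if any(req <= held for req in LEVEL_POLICY[level]):
            return True                          # step 608 "yes" -> step 614
        required = self.choose_mechanisms(device.mechanisms, level)
        if required is None:
            return False                         # step 612: rejected
        held |= self.verify(device.device_id, device.tokens_for(required - held))
        self.granted[device.device_id] = held
        return required <= held


def demo() -> dict:
    """Constructed walk-through: a phone offering only PIN and fingerprint."""
    phone = PortableDevice("phone-112a", b"constructed-device-key",
                           {"pin", "fingerprint"},
                           {"pin": b"4711", "fingerprint": b"template-A"})
    door = SecuredResource({phone.device_id: enroll(phone)})
    return {
        "door": door.request_access(phone, level=1),
        "email": door.request_service(phone, "email"),
        "financial": door.request_service(phone, "financial_statement"),
        "confidential": door.request_service(phone, "confidential_document"),
    }
```

Running `demo()` yields door and email access on the PIN alone, a step-up to fingerprint for the level 2 financial statement, and a rejection for the level 3 confidential document because the phone offers neither a retinal scanner nor a camera, which is the step 612 branch. A device that is not pre-registered, or one presenting tokens under a different key, never reaches the granted state, so the `granted` dictionary doubles as the audit record of which mechanisms actually authenticated each device.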

FIG. 7 illustrates an example of a portable device 112 according to an embodiment of the present invention. Portable device 112 is shown in FIG. 7 as a cellular telephone. Keypad 704 has a plurality of keys that may be used to access a secured resource. Menu button 702 and options button 706 may be used to facilitate operation in a mode for access, instead of making a telephone call. Biometric module 708 may be used to obtain biometric information (e.g., retinal scan, fingerprint) from a user. Display area, user interface or screen 718 may be used to provide a display of available resources 720(a) . . . (n) (where “n” is any suitable number). Transmitter 730 may be used to transmit a signal from device 112 to any number of resources (as described herein). Depending on the transmission strength of transmitter 730, the device may initiate a communication (e.g., wireless communication) with any resource that is within signal distance of the device 112. Sensor 740 may also be used to determine whether the device 112 is able to initiate a communication with a resource.

The sensor 740 is used to sense signals from a resource that the device 112 may be able to access. The sensor may be used to output an indication 742 that the device is in sufficiently close proximity to a resource. Indicator 742 may be an audio and/or visual representation of the sensor 740 detecting a resource, such as an LED, light, audible signal, ringtone or other alert.

Activate, or battery, module 750 may be used to identify that a resource is in a power-down mode or “sleep” mode to conserve power. The activate module 750 may operate in conjunction with transmitter module 730 to transmit a signal from the portable device 112 to a resource so as to signal that the resource needs to operate in an active mode rather than a power-down mode. Thus, the portable device 112 can activate a resource that has been inactive for an extended period of time by utilizing the battery, or activate, module 750.

Portable device 112 may be pre-registered with any number of resources, such that whenever the portable device is within a predetermined distance, the portable device 112 will initiate communication with the particular resource(s). A code, or device identifier, such as a device PIN or device number, may be used to associate one or more devices as authorized to open, access or sense one or more resources.

Portable device 112 may also include one or more memories used to store algorithms and programs, as described herein, useful for implementation of the access functions.

Thus, it is also an embodiment of the invention that the portable device may provide power to the secured resource. For example, in a rarely accessed security system, an electronic door may not need a continued power source to keep its electrical mechanism running, so that the portable device may provide power to actuate the electronic door.

FIG. 8 illustrates an example of a secured resource 104 according to an embodiment of the present invention. The resource 104 includes a transmitter 802, authentication module 860, proximity module 870, access module 806, power receptacle module 842, memory 824 and processor 826. These elements, or modules, may be operatively coupled by a bus 890. The modules, such as authentication module 860 and proximity module 870, may be, for example, non-transitory electronic storage registers that operate in conjunction with processor 826 to perform the function of the algorithm, or program code, stored therein.

Transmitter 802 is used to transmit a signal from the resource 104 to a portable device. The proximity module 870 is used to detect that a portable device is within transmission signal distance of the resource. The authentication unit 860 is used to receive transmission signals from a portable device and ascertain whether the tokens transmitted by the portable device are acceptable for a certain level of access. The level of access granted depends upon the type of tokens received.

Access module 806 is used to access the area of the resource 104 authorized by the authentication module 860. The access module 806 may be a lock or latch or electronic access capability. This access module 806 will open (i.e., provide or enable access) when accepted authorization is received. The access module 806 will not open (i.e., deny access) when the necessary authorization is not received. The access module 806 is able to permit selective access. For example, the access module 806 may permit a user to access or view certain portions of a database while prohibiting viewing of other portions of a database that require enhanced authentication.
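The step-up flow of FIG. 6 (step 608 checks whether the tokens already held are correct and sufficient; step 610 requests further tokens; step 612 rejects when none are forthcoming), together with the authentication unit 860 and access module 806 of FIG. 8 and the one-request-per-mechanism exchange of claim 10, can be simulated end to end. The following is an added example and not code from the patent or any product: the policy table, the per-device pre-registration key, the HMAC token format bound to a resource nonce, and the service names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Which combinations of mechanisms are adequate for each service of the
# resource (FIG. 6 step 608). Constructed policy table, not the patent's.
POLICY = {
    "lobby_door": [{"possession"}],
    "confidential_docs": [{"possession", "passcode"}, {"possession", "fingerprint"}],
    "lab_door": [{"possession", "fingerprint"}],
    "server_room": [{"possession", "fingerprint", "retina"}],
}


def token_for(key, device_id, mechanism, nonce):
    """Token = HMAC over (device, mechanism, resource nonce). Assumed format;
    the nonce keeps a captured token from being replayed at a later visit."""
    msg = f"{device_id}|{mechanism}|{nonce.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class PortableDevice:
    """Device side (FIG. 7 / FIG. 11): advertises its mechanisms and returns
    one token per request after running the local check."""

    def __init__(self, device_id, key, mechanisms, local_result):
        self.device_id = device_id
        self.key = key                          # pre-registration secret (assumed)
        self.mechanisms = set(mechanisms)       # what the hardware can perform
        self.local_result = local_result        # mechanism -> user passed? (constructed)

    def capabilities(self):
        return sorted(self.mechanisms)

    def produce_token(self, mechanism, nonce):
        if mechanism not in self.mechanisms or not self.local_result.get(mechanism, False):
            return None                         # step 610: no further token available
        return token_for(self.key, self.device_id, mechanism, nonce)


class SecuredResource:
    """Resource side: authentication unit 860 deciding for access module 806."""

    def __init__(self, registered):
        self.registered = dict(registered)      # device_id -> shared key

    def grant_access(self, device, service):
        """Returns (granted, reason, transcript of both sides' messages)."""
        transcript = []
        key = self.registered.get(device.device_id)
        if key is None:
            return False, "unregistered device", transcript
        nonce = secrets.token_bytes(16)         # fresh per session
        caps = set(device.capabilities())
        transcript.append(("device->resource", "capabilities", sorted(caps)))
        accepted = set()                        # tokens already verified this session
        for combo in POLICY.get(service, []):
            if not combo <= caps:
                continue                        # device cannot perform this combination
            for mech in sorted(combo - accepted):
                transcript.append(("resource->device", "request", mech))
                token = device.produce_token(mech, nonce)
                if token is None:
                    transcript.append(("device->resource", "no token", mech))
                    break                       # try the next adequate combination
                expected = token_for(key, device.device_id, mech, nonce)
                if not hmac.compare_digest(token, expected):
                    transcript.append(("resource", "reject", f"bad token for {mech}"))
                    return False, f"invalid token for {mech}", transcript
                transcript.append(("device->resource", "token", mech))
                accepted.add(mech)
            if combo <= accepted:               # step 608 "yes": correct and sufficient
                transcript.append(("resource", "grant", service))
                return True, f"granted {service} via {sorted(combo)}", transcript
        transcript.append(("resource", "reject", service))  # step 612
        return False, "no adequate combination of tokens", transcript


if __name__ == "__main__":
    key = b"constructed-device-key"
    phone = PortableDevice("dev-1", key, ["possession", "passcode", "fingerprint"],
                           {"possession": True, "passcode": True, "fingerprint": False})
    door = SecuredResource({"dev-1": key})
    for svc in POLICY:
        ok, why, log = door.grant_access(phone, svc)
        print(svc, ok, why)
        for entry in log:
            print("   ", entry)
```

Two design points are worth noting. The resource never sees the biometric itself, only a keyed token saying the device's local check passed, which is exactly the trust model the specification describes; it means the pre-registration key and the device's integrity are the real security boundary, so a compromised or cloned device can assert any factor it is capable of. Tokens are compared with a constant-time comparison and bound to a per-session nonce so that a token captured in one exchange is useless in the next.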

Power receptacle module 842 is used to receive a signal from a portable device to modify the mode of operation of the resource 104. For example, a portable device may transmit an activate signal to cause the resource to become active from an energy- or power-saving operational state. The power module 842 may also be used to store a minimum power threshold value that represents the minimum power required to be received from a portable device to activate the secured resource. Also, the power module 842 may store a minimum power threshold value for a portable device in instances when the secured resource transmits a power signal to a portable device. Furthermore, the power module 842 may receive a power activation or power transmission signal to activate a portable device. This activation may include, for example, causing the portable device to operate in a “wake-up” mode (as opposed to a “sleep” mode) or causing the portable device to transmit a signal indicating the location of the portable device. Thus, the portable device and the secured resource can transfer power between each other, as well as use the portable device to activate (either wake up or permit access to) the secured resource. Also, the power transmitted between the resource and the portable device may be used to operate the resource and/or the portable device. For example, the resource may have magnetic coils, or another electrical power unit, that can be used to provide operating power to the resource. The electrical power unit can be activated by a signal from the portable device. Also, the portable device can be charged, recharged or powered by the resource. Specifically, the portable device may be connected to the resource to receive operating electrical power from the resource.

Memory module 824 and processing module 826 are used to store data and execute instructions, respectively, for the resource 104.

FIG. 9 illustrates a flowchart 900 for an embodiment of the present invention in which the portable device provides power to the secured resource. As described above, in relation to FIG. 3, it is an embodiment of the present invention that the portable device, when located within a predetermined distance of a particular secured resource, provides an activation signal to the secured resource, as shown in step 902. In step 904 a determination is made whether power needs to be provided to the secured resource. If not, “no” line 907 shows that in step 910 the secured resource may be activated. If it is determined that power is needed in step 904, “yes” line 905 shows that in step 906 a power unit, such as a magnetic coil of an electrical generator, which may be installed in the secured resource, may be activated. Then the electrical generator provides adequate power, meeting the power requirement of the secured resource, to the secured resource, as shown in step 908. And the secured resource may be activated, as shown in step 910. At this point, the secured resource has power to determine whether the portable device is authorized to access one or more areas of the secured resource, as described herein. End step 912 shows that this process ends. In other words, the secured resource can use the portable device as a power source to activate an operation mode (“wake-up” mode as opposed to “sleep” mode) and use the power generated to operate, or may use the portable device signal to permit access to the secured resource. Thus, the portable device and the secured resource can transfer power between each other.

FIG. 10 illustrates a flowchart 1000 for an embodiment of the present invention in which the secured resource provides power for authentication of the portable device. As described above, in relation to FIG. 6, it is an embodiment of the present invention that the secured resource is able to identify a power requirement to authenticate a portable device, as shown in step 1002. In step 1004 the secured resource identifies the power amount currently available at the portable device. In step 1006 a determination is made whether the portable device has adequate power to meet the power requirement. If not, “no” line 1007 leads to step 1008. In step 1008, a determination is made whether the secured resource has adequate power to meet the power requirement of the portable device. If not, “no” line 1013 shows that in step 1018 the power amount available in the portable device is indicated.

In step 1008, if the secured resource is able to provide adequate power to the portable device, “yes” line 1011 shows that in step 1010 the secured resource provides power for authentication to the portable device by the user's operation of plugging the portable device into the secured resource. The power transmission may also be performed by wireless transmission. Line 1023 leads back to step 1004, in which the power amount of the portable device is identified. In step 1006, if it is determined that the portable device has adequate power to meet the power requirement, “yes” line 1009 leads to step 1012.

In step 1012, a determination is made by the user whether the portable device needs more power. If not, “no” line 1017 shows that in step 1018 the power amount available in the portable device is indicated. If it is determined that the portable device needs more power in step 1012, “yes” line 1015 shows that in step 1014 the secured resource provides power to the portable device by the user's operation of plugging the portable device into the secured resource. The power transmission may also be performed by wireless transmission. In step 1016, a determination is made whether the power providing process is finished or terminated by the user. If not, “no” line 1019 leads back to step 1014, in which the power is provided to the portable device. If it is determined that the power providing process is finished or terminated by the user, “yes” line 1021 shows that in step 1018 the power amount available in the portable device is indicated. End step 1020 shows that this process ends.
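The two power flows, FIG. 9 (the portable device's activation signal must meet the minimum threshold kept in power module 842 before the resource wakes and, if needed, starts its generator coil) and FIG. 10 (the resource tops up a device that lacks the power to authenticate, or reports what the device has when neither side can cover the shortfall), can be written as one small state machine. This is an added example and not the patent's code; the milliwatt figures, the rule that a signal below the threshold leaves the resource asleep, and the use of the flowchart step numbers as a returned trace are assumptions made for illustration.

```python
def activate_from_device_signal(signal_mw, min_activation_mw, resource_has_power):
    """FIG. 9, resource side. Returns (activated, trace of step numbers).
    min_activation_mw plays the role of the threshold stored in power module 842."""
    trace = [902, 904]                  # activation signal received, power needed?
    if resource_has_power:
        trace.append(910)               # "no" line 907: wake directly
        return True, trace
    if signal_mw < min_activation_mw:
        return False, trace             # assumed: below threshold, stay in sleep mode
    trace += [906, 908, 910]            # coil activated, power supplied, resource active
    return True, trace


def power_for_authentication(required_mw, device_mw, resource_mw,
                             user_wants_more=False, extra_mw=0):
    """FIG. 10, resource side. Returns (device_can_authenticate, device_mw, trace).
    The loop terminates because each pass either exits or raises device_mw to
    required_mw; the resource only ever gives the exact shortfall."""
    trace = [1002]                      # power requirement identified
    while True:
        trace += [1004, 1006]           # read device power, is it adequate?
        if device_mw >= required_mw:
            break                       # "yes" line 1009
        trace.append(1008)              # can the resource cover the shortfall?
        shortfall = required_mw - device_mw
        if resource_mw < shortfall:
            trace.append(1018)          # "no" line 1013: indicate device power and stop
            return False, device_mw, trace
        trace.append(1010)              # transfer (plug-in or wireless), line 1023 loops back
        device_mw += shortfall
        resource_mw -= shortfall
    trace.append(1012)                  # user decides whether more power is wanted
    if user_wants_more:
        trace += [1014, 1016]           # top up until the user finishes
        device_mw += min(extra_mw, resource_mw)
    trace.append(1018)                  # indicate resulting device power
    return True, device_mw, trace


if __name__ == "__main__":
    print(activate_from_device_signal(80, 50, resource_has_power=False))
    print(power_for_authentication(100, 30, 200))
    print(power_for_authentication(100, 30, 50))
```

One operational caveat follows directly from the flow: every step of FIG. 10 runs before the device has authenticated, so the resource's stored energy is spent on devices it has not yet verified. A deployment should cap the shortfall it is willing to cover per unauthenticated session (and per time window) so that a stream of low-battery devices cannot drain a resource that, as FIG. 9 notes, may itself have no continuous power source.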

FIG. 11 illustrates an example of a processing and memory module for a portable device 112 according to an embodiment of the present invention. The portable device 112 includes CPU module 1103 and memory module 1105.

The CPU 1103 and memory module 1105 are operatively coupled such that the CPU 1103 can perform processing of data stored in memory 1105. Typically the CPU module 1103 is a processor, such as a commercially available computer processor including an ALU and other electronic components and circuitry to perform data processing.

Memory module 1105 includes power module 900, scanner module (fingerprint) 1112, proximity sensor module 1109, motion sensor module 1108, camera module 1114, scanner module (retina) 1116, voice recognition module 1118 and authentication module 1150. Also shown in FIG. 11 are I/O module 1115 and GUI 1104. The modules described as stored in memory 1115 are typically program code that executes instructions stored on a non-transitory, computer-readable medium and are software components that operate with hardware components, such as one or more of the sensor modules shown in FIG. 4.

Power module 900 is a storage module that is used to store the processes and steps and program code, for example, instructions stored on a non-transitory computer-readable medium that may be executed by a processor, such as CPU 1103, to determine whether the portable device 112 is able to provide electrical power to a secured resource, as described in relation to FIG. 9. The power module 900 is used to transmit a signal activating a secured resource and provide a power signal. The power module 900 may store a threshold power value that is the minimum power required to activate a secured resource. This minimum magnitude is used such that unnecessary power is not wasted activating the secured resource.

Scanner module 1112 is a module that provides computer code, such as instructions stored on a non-transitory computer-readable medium, that when used in conjunction with hardware components permits identification of a biometric, such as fingerprint data that is obtained by a fingerprint input device, such as shown in FIG. 2 as element 216 herein.

Proximity sensor module 1109 is, for example, program code that controls a sensor to determine at what distance a secured resource will recognize a portable device. This distance may be based on the type of secured resource, the type of portable device, the number of possible portable devices, the level of security of the portable device and the level of security of the secured resource. For example, if the secured resource has a low security threshold requirement, it will be more likely that the portable device will sense the secured resource. If the secured resource has a high threshold, the secured resource may not provide a signal that the portable device can detect, and thus the portable device will not sense that it is within a selected distance of a secured resource.

The proximity sensor module 1109 is typically a combination of hardware and software components that can receive and transmit signals, via I/O module 1115. The program code module of the proximity sensor module is shown in FIG. 11 and the hardware is shown in FIG. 7 as element 740. The proximity sensor module (hardware and software) is adapted to determine at what distance the portable device 112 can access selected portions or areas of the secured resource.

Motion sensor module 1108 is used to detect motion of a user relative to portable device 112. The motion sensor module 1108 is program code stored on, for example, a non-transitory computer-readable medium that processes input from sensor 406 shown in FIG. 4. The program code of motion sensor module 1108 determines what type of gestures a user is making and whether a user is within a pre-selected distance of the portable device. The sensed motion may be adequate to open or access a secured resource, such as an automatic door or other secured resource that may be activated merely by the presence of a user relative to a portable device.

Camera module 1114 is shown as a memory location storing instructions to identify images obtained from a camera or other image-obtaining device, such as camera 414, shown in FIG. 4. The camera module 1114 and hardware component 414 may be used to recognize a facial feature, or other image, to permit access to a secured resource.

Scanner module 1116 is shown as a memory location that stores program code that operates with a scanner, as described herein, to detect a biometric, such as retinal data, to determine access to a secured resource.

Voice recognition module 1118 is shown as a memory location that stores program code to operate on and recognize voice data, such as sounds and voices obtained by microphone 418 shown in FIG. 4. The software of voice recognition module 1118 is adapted to determine whether received voice signals match stored, authorized voice signals and to output a signal or other output affirming or denying a match.

Authentication module 1150 is program code stored in memory 1105 that can be used to store instructions that can be executed by CPU 1103 to determine whether a secured resource is able to communicate with the portable device, as well as to authorize the secured resource to permit access to the portable device, and thus the user or holder of the portable device. The authentication module 1150 may operate in conjunction with I/O module 1115, which is, for example, a transmitter, receiver, or transceiver that operates to send and/or receive signals or authentication data to/from a secured resource, server or other location to facilitate the operation of recognizing and/or accessing a secured resource utilizing the portable device.

GUI 1104 provides a user interface for a user to operate and control the portable device 112 via user input. It can include a keyboard, touch screen, mouse and other input devices (not shown) as well as a screen, display or monitor (not shown) to display image data and an audio output device (not shown) to output audio data.

Various embodiments of the present invention will now be described in relation to the description and figures mentioned above. For example, in some cases, the portable device itself is a security token. In a keyless entry system, which is widely used in office buildings, it is sufficient to wave your badge in front of a sensor near the door to gain access, and no other authentication is needed. In other cases, no specific portable device is needed. For example, if a retinal scan is required to access a secured resource, it does not matter whether a user uses his/her own portable device equipped with a retinal scanner, or he/she borrows a portable device from another user, because the security token is the image of the user's retina, instead of the portable device itself.

It will be appreciated from the above that the invention may be implemented as computer software, which may be supplied on a storage medium or via a transmission medium such as a local-area network or a wide-area network, such as the Internet. It is to be further understood that, because some of the constituent system components and method steps depicted in the accompanying Figures can be implemented in software, the actual connections between the system components (or the process steps) may differ depending upon the manner in which the present invention is programmed. Given the teachings of the present invention provided herein, one of ordinary skill in the related art will be able to contemplate these and similar implementations or configurations of the present invention.

It is to be understood that the present invention can be implemented in various forms of hardware, software, firmware, special purpose processes, or a combination thereof. In one embodiment, the present invention can be implemented in software as an application program tangibly embodied on a computer readable program storage device, such as a non-transitory computer-readable medium. The application program can be uploaded to, and executed by, a machine, such as a processor, CPU or compiler, comprising any suitable architecture.

The particular embodiments disclosed above are illustrative only, as the invention may be modified and practiced in different but equivalent manners apparent to those skilled in the art having the benefit of the teachings herein. Furthermore, no limitations are intended to the details of construction or design herein shown, other than as described in the claims below. It is therefore evident that the particular embodiments disclosed above may be altered or modified and all such variations are considered within the scope and spirit of the invention. Although illustrative embodiments of the invention have been described in detail herein with reference to the accompanying drawings, it is to be understood that the invention is not limited to those precise embodiments, and that various changes and modifications can be effected therein by one skilled in the art without departing from the scope and spirit of the invention as defined by the appended claims.

What is claimed is:
1. A method for an external device to gain access to a secure area of a resource, comprising: transmitting from the external device to the resource a signal that identifies the external device as capable of authentication; receiving by the external device from the resource an initiation of communication with the resource; responding by the external device to the initiation of communication by transmitting to the resource a listing of a plurality of authentication mechanisms that the external device is capable of performing, the authentication mechanisms each being a device for identifying an attribute of a user of the external device; receiving by the external device from the resource an indication of a particular combination of two or more authentication mechanisms selected from the listing of the plurality of authentication mechanisms is adequate to gain access to the secure area; receiving by the external device from the resource a first request for use of a first authentication mechanism selected from the listing of the plurality of authentication mechanisms; performing authentication using the first authentication mechanism at the external device; transmitting a first token from the external device to the resource, the first token representing a result of the first authentication mechanism; receiving by the external device from the resource another request for use of another authentication mechanism selected from the listing of the plurality of authentication mechanisms; performing authentication using the second authentication mechanism at the external device; repeating the transmitting a token step and receiving another request step until transmittal of the combination of authentication mechanisms is completed; and gaining access to the secure area in response to acceptance of the two or more of the tokens by the resource.
2. The method of claim 1, wherein the initiation is a wireless communication.
3. The method of claim 1, wherein the external device is a portable device.
4. The method of claim 1, wherein the authentication mechanism is possession of the external device.
5. The method of claim 1, wherein the authentication mechanism is a biometric.
6. The method of claim 1, wherein biometric includes retinal scan data.
7. The method of claim 1, wherein the authentication mechanism is a passcode.
8. The method of claim 1, wherein the external device transmits an activation signal to the resource.
9. The method of claim 1, wherein the external device transmits an electrical power generation signal to the resource.
10. A method for a resource to grant access to a secure area of the resource to an external device, comprising: receiving at the resource a signal from the external device that identifies itself as capable of authentication; initiating a communication from the resource with the external device; receiving from the external device a list of a plurality of authentication mechanisms that the external device is capable of performing, the authentication mechanisms each for identifying an attribute of a user of the external device; transmitting to the external device a first request for use of a first authentication mechanism selected from the plurality of authentication mechanisms; receiving from the external device a first authentication token for the first authentication mechanism in response to the first request, the first authentication token being a result of authentication at the external device using the first authentication mechanism at the external device; transmitting to the external device a second request for use of a second authentication mechanism selected from the plurality of authentication mechanisms; receiving from the external device a second authentication token for the second authentication mechanism in response to the second request, the second authentication token being a result of authentication at the external device using the second authentication mechanism at the external device; and granting to the external device access to the secure area based upon acceptability of the authentication tokens received in response to the first request and the second request.
11. The method of claim 10, wherein the communication is a wireless communication.
12. The method of claim 10, wherein the authentication token is from a biometric device.
13. The method of claim 10, wherein the resource transmits an activation signal to the external device.
14. The method of claim 10, wherein the resource transmits electrical power to the external device.
15. A portable device for gaining access to a secure area of a resource, comprising: a transmitter to transmit a signal from the portable device to the resource that identifies a listing of a plurality of authentication mechanisms that the portable device is capable of performing for identifying an attribute of a user; a receiver to receive at the portable device from the resource an initiation of a communication with the resource; a controller to respond to the received initiation of the communication by transmitting to the resource two or more authentication tokens to the resource, the authentication tokens being a result of authentication at the portable device using corresponding two or more authentication mechanisms of the portable device; wherein the receiver receives from the resource a first request for use of a first authentication mechanism selected by the resource from the plurality of authentication mechanisms and, in response, the transmitter transmits to the resource a first authentication token, the first authentication token representing a result of authentication at the portable device using the first authentication mechanism; wherein the receiver receives from the resource a second request for use of a second authentication mechanism selected by the resource from the plurality of authentication mechanisms and, in response, the transmitter transmits to the resource a second authentication token, the second authentication token representing a result of authentication at the portable device using the second authentication mechanism; and wherein the portable device gains access to the secure area in response to the resource receiving transmittal of the authentication tokens in response to the first request and the second request.
16. The portable device as claimed in claim 15, wherein the communication is a wireless communication.
17. An authentication unit of a resource for granting access to a secure area of the resource to an external device, comprising: a receiver to receive a signal from the external device that identifies the external device as capable of authentication; a communicator to initiate a communication from the resource with the external device; wherein the receiver receives from the external device a list of a plurality of authentication mechanisms that the external device is capable of performing, the authentication mechanisms each for identifying an attribute of a user of the external device; a transmitter to transmit to the external device a first request to the external device for use of a first authentication token, corresponding to a first authentication mechanism selected by the authentication unit from the list of the plurality of authentication mechanisms, the first authentication token representing a result of authentication at the external device using the first corresponding authentication mechanism of the external device; wherein the receiver receives the first authentication token from the external device in response to the first request; wherein the transmitter then transmits to the external device a second request to the external device for use of a second authentication token corresponding to a second authentication mechanism selected by the authentication unit from the list of the plurality of authentication mechanisms, the second authentication token representing a result of authentication at the external device using the second corresponding authentication mechanism of the external device; wherein the receiver receives from the external device the second authentication token in response to the second request; and an authenticator to grant the external device access to the secure area based upon acceptability of the authentication tokens received in response to the first request and the second request.
18. The authentication unit as claimed in claim 17, wherein the communication is wireless.